China has released an update to the standards governing personal information, offering new clarity for tech companies including those using biometric data for facial recognition applications.
Why it matters: Companies have been blasted for misuse of data, and even had their apps removed from app stores.
- These standards will apply to personal information collection and usage across the board.
- With more clarity on legal boundaries, tech companies can now proceed with development of facial recognition and other technology.
- “Those who drafted have realized the sensitivity and importance of biometric information, so it receives more protection now,” said Samuel Yang, a data privacy and cybersecurity lawyer and partner at AnJie law firm.
Details: Jointly released by the State Administration of Market Regulation and the State Standards Management Commission, the “Personal Information Security Standards” go into effect Oct. 1, 2020.
- The latest changes include requiring collectors of biometric data to inform each subject of the purpose, method, and scope of collection and usage, as well as the length of time the information will be stored. They also require that users give express consent.
- The standards recommend storing biometric information separately from personally identifiable information, and refraining from storing biometric information on principle—for instance, deleting original images after extracting the relevant data.
- The previous version said biometric information could be stored if there were adequate technical security measures in place, said Yang.
- There are additional “restrictions on user portraits” and “convergence of personal information collected based on different business purposes” and “management of third-party access.”
- Companies should not refuse to provide access to functions or reduce service quality if users do not consent, and should obtain their active consent in an itemized way through pop-ups, prompts, or other options.
Context: “These new rules are a reflection of the Chinese authorities’ hands-on enforcement style,” said Yang. “They tend to focus more on how the privacy policy is drafted, if it has necessary clauses, how notice or consent are presented to users,” he added.
- This revision is just one of many regulatory initiatives to delineate what is and isn’t allowed, including laws on personal information protection and data security which lawmakers begin drafting this year.
- Technological developments like smartphone cameras with resolutions high enough to capture a fingerprint from people making “V” signs raise new questions for biometric data collection.
- Experts have called out apps like Meitu, a popular beautifying app, for excessive collection of biometric data.
- Last year, Beijing Normal University professor Liu Deliang said that much of the legislation on individual biological information consisted of legal vacuums, and lacked measures that could be applied.
Update: added comments from Samuel Yang from AnJie law firm.